Splunk Search

How to get the result of next event by searching for a key word

t_splunk_d
Path Finder

I want to get the result of the next line of the log message when I encounter a keyword.

Example log:

----error in checking status--------
----Person Name: abcd, Status=active---------
-----Check for Status------
------success : true--------
-----Start  Processing XXX----------
----Person Name: abcd, Status=active---------
-----Check for Status------
------success : true--------
-----Start  Processing XXX----------
----Person Name: abcd, address:yzgj---------
-----Check for Person------
------success : true--------
-----Start  Processing XXX----------

In the above log I want to capture the person name after the "Check for Person". The log is indexed by _time. I want to display the following result:

_time    Process    Person Name
         XXX        abcd

I don't want to use map or transaction, as those are expensive and there are a lot of events.

Thank you for the help.

 

0 Karma

dtburrows3
Builder

You may be able to use streamstats, assuming that there is some degree of distribution of _time between each event.

<base_search>
    | rex field=_raw "Processing\s+(?<process>[^\-]+)\-"
    | rex field=_raw "Person\s+Name\:\s+(?<person_name>[^\,]+)\,"
    | sort 0 +_time
    | streamstats reset_before="("isnotnull(process)")"
        values(process) as current_process
    | streamstats window=2
        first(_raw) as previous_log
    | eval
        checked_person_name=if(
            match(previous_log, "\-Check\s+for\s+Person\-"),
                'person_name',
                null()
            )  
    | stats
        min(_time) as _time
            by current_process, checked_person_name
    | fields + _time, current_process, checked_person_name

The final output should look something like this

[screenshot of the final output table omitted]

The table before the final stats aggregation looked like this and shows more context around what the streamstats are doing here.

[screenshot of the intermediate table, before the stats aggregation, omitted]

Note: For this method to work properly, the _time stamps of each process event shouldn't be exactly the same; there would need to be some sort of step up in time to the next event (even if it is milliseconds). This is because we need the events in the correct sequence for the streamstats to work as expected.


0 Karma

t_splunk_d
Path Finder

@dtburrows3 We are so close. Actually, I did not mention the error. The log looks like this:

----error in checking status--------
----Person Name: abcd, Status=active---------
-----Check for Status------
------success : true--------
-----Start  Processing XXX----------

So I want to get the Person name only for "error in checking status".

0 Karma

dtburrows3
Builder

I think the addition of a few evals can account for the error line as well.

Maybe something like this?

<base_search>
    | rex field=_raw "Processing\s+(?<process>[^\-]+)\-"
    | rex field=_raw "Person\s+Name\:\s+(?<person_name>[^\,]+)\,"
    | sort 0 +_time
    | streamstats reset_before="("isnotnull(process)")"
        values(process) as current_process
    | streamstats window=2
        first(_raw) as previous_log
    | rex field=previous_log "Person\s+Name\:\s+(?<previous_log_person_name>[^\,]+)\,"
    | eval
        checked_person_name=if(
            match(previous_log, "\-Check\s+for\s+Person\-"),
                'person_name',
                null()
            ),
        status_error_person=if(
            match(previous_log, "Person\s+Name:\s+") AND match(_raw, "\-error\s+in\s+checking\s+status"),
                'previous_log_person_name',
                null()
            )
    | stats
        min(_time) as _time
            by current_process, status_error_person
    | fields + _time, current_process, status_error_person

0 Karma
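Both streamstats pipelines above do the same thing: order the events by _time, carry the last "Processing" name forward, and compare each event with the one immediately before it. As an added illustration that is not code from this thread or from Splunk, here is that logic in plain Python over a constructed log, covering both the "Check for Person" rule from the first answer and the "error in checking status" rule from the second. The sample events, their integer timestamps, and the function names are assumptions for this example; the events are listed oldest first and ordered so that the Person Name line follows "Check for Person" and precedes "error in checking status", which is the ordering the posted previous_log matches rely on.

```python
import re

# Regexes mirroring the rex/match patterns posted in the thread.
PROCESS_RE = re.compile(r"Processing\s+([^-]+)-")
PERSON_RE = re.compile(r"Person\s+Name:\s+([^,]+),")
CHECK_PERSON_RE = re.compile(r"-Check\s+for\s+Person-")
STATUS_ERROR_RE = re.compile(r"-error\s+in\s+checking\s+status")

# Constructed sample log (not taken from any real index), as (_time, _raw)
# pairs with strictly increasing integer timestamps, listed oldest first.
SAMPLE_EVENTS = [
    (1, "-----Start  Processing XXX----------"),
    (2, "------success : true--------"),
    (3, "-----Check for Person------"),
    (4, "----Person Name: abcd, address:yzgj---------"),
    (5, "-----Start  Processing YYY----------"),
    (6, "------success : true--------"),
    (7, "-----Check for Status------"),
    (8, "----Person Name: efgh, Status=active---------"),
    (9, "----error in checking status--------"),
]


def pair_person_with_keyword(events):
    """Walk events oldest first, carrying the last seen process name and the
    previous event's _raw, as the two streamstats calls in the thread do.

    Returns one dict per hit: {"_time", "process", "person", "rule"}, where
    rule is "check_for_person" (keyword on the previous event, name on the
    current one) or "status_error" (name on the previous event, error on
    the current one)."""
    # Equivalent of `sort 0 +_time`. Python's sort is stable, so equal
    # timestamps keep list order; Splunk gives no such guarantee, which is
    # why the answer's note about distinct timestamps matters.
    ordered = sorted(events, key=lambda ev: ev[0])
    hits = []
    current_process = None  # values(process) with reset_before isnotnull(process)
    previous_raw = None     # streamstats window=2 first(_raw) as previous_log
    for when, raw in ordered:
        proc = PROCESS_RE.search(raw)
        if proc:
            current_process = proc.group(1).strip()
        if previous_raw is not None:
            person = rule = None
            if CHECK_PERSON_RE.search(previous_raw):
                found = PERSON_RE.search(raw)
                if found:
                    person, rule = found.group(1), "check_for_person"
            elif STATUS_ERROR_RE.search(raw):
                found = PERSON_RE.search(previous_raw)
                if found:
                    person, rule = found.group(1), "status_error"
            if person:
                hits.append({"_time": when, "process": current_process,
                             "person": person, "rule": rule})
        previous_raw = raw
    return hits


def first_hit_per_process(hits):
    """Mirror `stats min(_time) by current_process, <person field>`: the
    earliest hit for each (process, person) pair, sorted by time."""
    earliest = {}
    for hit in hits:
        key = (hit["process"], hit["person"])
        if key not in earliest or hit["_time"] < earliest[key]:
            earliest[key] = hit["_time"]
    return sorted((when, proc, name) for (proc, name), when in earliest.items())


if __name__ == "__main__":
    for row in first_hit_per_process(pair_person_with_keyword(SAMPLE_EVENTS)):
        print(row)
```

Feeding the sample in reverse (newest first, as Splunk displays it) gives the same result because the sort restores chronological order; the pairing itself only ever looks one event back, which is the cheap part that makes this preferable to map or transaction on a large index.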

gcusello
SplunkTrust

Hi @t_splunk_d ,

let me understand: you have each row in a different event and you're sure that the events are in this sequence.

I suppose that you have already extracted the Process and Person_Name fields; in this case you could run something like this:

<your_search>
| transaction startswith="Start  Processing" maxevents=2
| table Process Person_Name 

Ciao.

Giuseppe


0 Karma